As a vMCP process running in static mode,
I want to parse and connect to MCPServerEntry-type backends from my ConfigMap configuration,
so that I can route MCP traffic directly to remote servers without going through proxy pods.
Size: M
Dependencies: VirtualMCPServer static mode story (ConfigMap must include entry backends)
Labels: enhancement
RFC: RFC-0055
Context
Once the operator generates ConfigMaps with MCPServerEntry backends (Phase 2 operator story), vMCP needs to parse and connect to them. The static config parser in pkg/vmcp/config/config.go currently handles StaticBackendConfig without a workload type discriminator. The HTTP client in pkg/vmcp/client/client.go needs to support custom CA bundles for entry backends using self-signed certificates.
Scope
Static Config Parser (pkg/vmcp/config/config.go)
- Extend StaticBackendConfig with:
  - Type field to distinguish entry backends from container/proxy backends (or use metadata)
  - CABundlePath field for custom TLS certificate path
- pkg/vmcp/aggregator/discoverer.go discoverFromStaticConfig() handles entry-type backends:
  - Sets appropriate backend type/metadata
  - Passes CA bundle path through to backend
HTTP Client Custom CA Support (pkg/vmcp/client/client.go)
- Extend newBackendTransport() to accept an optional CA bundle path
- When CA bundle path is set:
  - Load CA certificate from file path (mounted by operator at /etc/toolhive/ca-bundles//ca.crt)
  - Create custom tls.Config with the CA added to the root CA pool
  - Apply to the cloned http.Transport
- When no CA bundle: use default system root CAs (existing behavior)
Auth Strategy for Entry Backends
- Entry backends use the same OutgoingAuthConfig resolution as existing backends
- externalAuthConfigRef resolves through the existing converter registry (pkg/vmcp/auth/converters/)
- No new auth strategies needed — reuse TokenExchangeConverter, HeaderInjectionConverter, UnauthenticatedConverter
Acceptance Criteria
- StaticBackendConfig extended to support entry backend type and CA bundle path
- vmcp.Backend for entry-type backends
- task test)